SAMPLE REPORT: Updates to this report may be available to subscribers.
IT Connection Market Assessment reports are a helpful tool to assist buyers in determining the key drivers in a given market. These reports include a Ratings Table snapshot comparison of the key suppliers in that market, which is particularly helpful in creating an RFP short list.
Network access control (NAC) products should support the discovery of devices as they attempt to gain access to a network. Before the device is allowed on the network, it is interrogated and its current security posture (e.g., is AV software installed, running, and updated?) is compared to the appropriate corporate security policy. If the device is not in compliance, it is placed into quarantine, where it is typically limited to the network resources (e.g., remediation servers) it would need to bring itself into compliance. The device would then be rescanned and allowed full network access if and when it met corporate security policy.
NAC solutions are not expected to perform network authentication, but they are expected to help enforce authentication by leveraging existing AAA and directory services and redirecting unmanaged devices (e.g., using captive portals) where identity information can be collected. Identity information can also provide an important overlay to network traffic data for audit and reporting capabilities. The ability to deliver policy-driven access to network resources based on user identity is another important emerging NAC requirement. Solutions should be able to extract role data from existing identity databases and support role-based provisioning and access management based on corporate or regulatory access policy.
Finally, the ability to monitor network traffic continuously and react to threats in real time by leveraging NAC quarantine enforcement is another important emerging NAC capability. Solutions typically employ behavioral anomaly techniques to detect unknown threats to the network. Enforcement and remediation are done through the same infrastructure that supports pre-admission NAC.
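The three paragraphs above describe one control loop: pre-admission posture check, quarantine with access limited to remediation resources, rescan, identity/role-based resource assignment, and post-admission anomaly detection that reuses the same quarantine enforcement. The following Python model, added here as an illustration and not taken from any vendor's product, walks a constructed laptop through that loop. The posture fields, policy thresholds, host names and the "distinct destination ports per window" anomaly rule are all assumptions chosen for the example.

```python
"""Added illustration of the NAC admission / quarantine / rescan cycle.
All device fields, thresholds and host names are constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum


class Zone(Enum):
    UNMANAGED_PORTAL = "captive-portal"   # no agent/identity: collect identity first
    QUARANTINE = "quarantine"             # remediation resources only
    PRODUCTION = "production"             # full access according to role


@dataclass
class Posture:
    """Endpoint state reported by an agent (assumed schema, not a vendor's)."""
    managed: bool                 # device is known to the directory / runs an agent
    av_installed: bool
    av_running: bool
    av_signature_age_days: int
    user_role: str = ""           # role pulled from the identity store


@dataclass
class Policy:
    max_signature_age_days: int = 3
    remediation_hosts: tuple = ("remediation.example.internal",)   # constructed
    role_resources: dict = field(default_factory=lambda: {
        "finance": ("erp.example.internal", "mail.example.internal"),
        "staff": ("mail.example.internal",),
    })
    anomaly_port_threshold: int = 50   # distinct destination ports per window (assumed)


def posture_violations(p: Posture, policy: Policy) -> list[str]:
    """Compare a device's reported posture with policy; an empty list means compliant."""
    v = []
    if not p.av_installed:
        v.append("av-not-installed")
    elif not p.av_running:
        v.append("av-not-running")
    elif p.av_signature_age_days > policy.max_signature_age_days:
        v.append("av-signatures-stale")
    return v


def admission_decision(p: Posture, policy: Policy) -> tuple[Zone, tuple]:
    """Pre-admission step: the zone plus the destinations the enforcement point should allow."""
    if not p.managed:
        return Zone.UNMANAGED_PORTAL, ()          # redirect to captive portal for identity
    if posture_violations(p, policy):
        return Zone.QUARANTINE, policy.remediation_hosts
    return Zone.PRODUCTION, policy.role_resources.get(p.user_role, ())


class DeviceSession:
    """Tracks one device through admission, rescan and post-admission monitoring."""

    def __init__(self, mac: str, posture: Posture, policy: Policy):
        self.mac, self.posture, self.policy = mac, posture, policy
        self.zone, self.allowed = admission_decision(posture, policy)
        self.history = [self.zone]

    def rescan(self, posture: Posture) -> Zone:
        """Re-evaluate after remediation; the device leaves quarantine only when compliant."""
        self.posture = posture
        self.zone, self.allowed = admission_decision(posture, self.policy)
        self.history.append(self.zone)
        return self.zone

    def observe_flows(self, flows: list) -> Zone:
        """Post-admission check over (dst_host, dst_port) flow records. A burst of distinct
        destination ports is treated as a behavioral anomaly and reuses the quarantine path."""
        distinct_ports = {port for _, port in flows}
        if self.zone is Zone.PRODUCTION and len(distinct_ports) > self.policy.anomaly_port_threshold:
            self.zone, self.allowed = Zone.QUARANTINE, self.policy.remediation_hosts
            self.history.append(self.zone)
        return self.zone


def demo() -> list:
    """Walk one constructed laptop through the full cycle; returns its zone history."""
    policy = Policy()
    stale = Posture(managed=True, av_installed=True, av_running=True,
                    av_signature_age_days=10, user_role="finance")
    s = DeviceSession("00:11:22:33:44:55", stale, policy)          # stale AV -> QUARANTINE
    fixed = Posture(managed=True, av_installed=True, av_running=True,
                    av_signature_age_days=0, user_role="finance")
    s.rescan(fixed)                                                # compliant -> PRODUCTION
    # constructed flow sample: one internal host touched on 60 distinct ports in a window
    s.observe_flows([("10.0.5.7", port) for port in range(1, 61)])  # anomaly -> QUARANTINE
    return s.history


if __name__ == "__main__":
    print([z.value for z in demo()])
```

The point of the model is that the post-admission detector does not need its own enforcement: `observe_flows` writes the same `zone`/`allowed` pair that the pre-admission decision wrote, so whatever pushes those into a switch ACL or VLAN assignment serves both phases. In a real deployment the posture schema would come from the agent or TNC/NAP framework in use and the anomaly rule would be far richer than a port count.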
Product Category Review
• NAC Is Hot, or Not: NAC remains a vibrant and dynamic segment of the information security market. Very large players, including Cisco, Juniper, and Microsoft, continue to apply significant resources to building out their NAC solutions, while smaller pure plays, such as Bradford and StillSecure, continue to attract venture funding. Several second-tier NAC vendors, however, have exited the market, including Vernier and Lockdown. Others are rumored to be close to similar moves. Lockdown was finally acquired, presumably at a fire sale price, by McAfee.
• Verizon NAC Services: Verizon has introduced a new suite of professional and managed services for facilitating network access control (NAC) deployments. The new services are available immediately and globally. Verizon Business is providing professional services that address strategy (e.g., requirements definition and roadmap), planning (e.g., gap analysis and plan recommendation), development (e.g., proof of concept), and implementation (e.g., product installation and integration). Verizon’s NAC managed service will provide ongoing management, monitoring, and maintenance.
• Integrated Security Agents: Several vendors, including Check Point, McAfee, Sophos, and Symantec, have introduced integrated endpoint security agents that include support for network access control. These products typically combine traditional host-based security functionality such as AV, HIPS, and DLP.
• NAP Gets Real: Microsoft’s release of Windows Server 2008 makes its NAP functionality generally available for the first time. The company’s decision to release a NAP client for XP (in addition to the already available client for Vista) will help speed deployments of the NAP framework.
• TNC Framework Expands: The Trusted Computing Group has added new components to its Trusted Network Connect NAC framework, which extend the existing TNC framework in significant ways. The new IF-MAP component supports the ability for continuous post-admission monitoring and control and provides richer options for controlling admission of unmanaged network devices. While a powerful addition to the framework, its adoption is optional and its introduction will not affect existing TNC-based deployments.
• McAfee NAC 3.0: McAfee has announced significant extensions to its Network Access Control solution. The company has announced a new standalone NAC Appliance. The box is built on McAfee’s Network Security Platform (previously known as IntruShield IPS) architecture. McAfee has also created a software module that can be deployed on an existing Network Security Platform appliance. These additions improve functionality in two important areas. McAfee now has a much better story to tell with regard to controlling unmanaged devices and providing post-connect integration with existing threat management infrastructure.
Drivers
Near Term Trends
• Settle Down People: The definition of NAC has evolved considerably past its original pre-admission posture checking focus. NAC now also includes identity-based network resource control and post-connect threat protection. This broader definition of NAC is fairly well accepted in the market today and, as a result, vendors will for the foreseeable future be working to fill out their solutions to meet this expanded definition. This focus will inhibit any real “game-changing” product development activity.
• Partner or Perish: Very few vendors have demonstrated capabilities or expertise across all of the functional areas of NAC. Vendors with complementary technologies will begin to integrate their solutions through partnership or acquisition. More broadly, NAC functionality is finding its way into a broader set of endpoint and network security solutions. This is an important trend and one that could extend to non-traditional segments, such as application-centric access control solutions.
• Adult Supervision: Professional and managed services providers will likely embrace NAC much more aggressively. NAC should be a standard competency in broader governance, risk, and compliance (GRC) and security services solutions.
• Interoperability vs. Open Standards: Open protocols for communications between components within NAC solutions would benefit both customers and vendors. The benefit comes not by writing them, however, but by widely deploying them. Unfortunately, there are currently several competing NAC frameworks in the market. To date, there have been commitments to enable interoperability, but not much progress in actually bringing these camps together to create an open set of standards. There is some work going on within the Network Endpoint Assessment Working Group at the IETF.
Long Term Trends
• Complexity and Cost: As Web business models become increasingly complex, the security solutions grow more tangled for users. Businesses building online strategies from scratch can be overwhelmed by the initial investment of security solutions, while those trying to adapt existing solutions to evolving security concerns are besieged by maintenance costs. Both these scenarios will drive sales of NAC solutions.
• Device and Security Integration: While security used to be thought of as an "add-on" or an extraneous component of infrastructure, equipment makers are paying much closer attention to embedded security functionality in devices and are actively attempting to integrate security as a value-added service. These moves will further shift security buying decisions into the hands of mainstream IT personnel. In the NAC market, this will most clearly be demonstrated in the creation of a quarantine enforcement control plane.
• Influence of Insurers: Insurance companies will play an increasingly important role in driving growth of particular market segments in the information security industry over the next several years. The positioning of information security products as risk management solutions is helping to accelerate market expectations that information security risks can be not only managed, but also eventually turned into fixed cost expenses. This, of course, is the essence of insurance. Insurance companies will set premiums based on their interpretation of risk, which will drive the growth of particular technologies and approaches.